Hello, I've been asked to create a report that will show the number of events from the 2 previous quarters by country, the monthly average, and the quarterly percent increase:
Country
Q1'22 Total
Q1'22 Monthly Avg
Q2'22 Total
Q2'22 Monthly Avg
Q2'22 Percent Increase
US
300000
100000
330000
110000
10%
UK
60000
20000
61000
20333
2%
Canada
1200
400
1500
500
25%
Using this:
index=mydata earliest=-2q@q latest=-q@q
| chart dc(ID) as count_earlier by Country
| appendcols
[ search index=mydata earliest=-q@q latest=@q
| chart dc(ID) as count_later by Country]
| eval ave_earlier=round(count_earlier/3,0)
| eval ave_later=round(count_later/3,0)
| eval DiffPer=round(((count_later - count_earlier) / count_earlier) * 100,0)."%"
| table ReportersCountry,count_earlier,ave_earlier,count_later,ave_later,DiffPer
Now I'm trying to rename count_earlier, ave_earlier, count_later, and ave_later to be the quarter labels. I've been using:
| convert TIMEFORMAT="%m" ctime(_time) AS month
| rex field=date_year "\d{2}(?<short_year>\d{2})"
| eval quarter=case(month<=3,"Q1",month<=6,"Q2",month<=9,"Q3",month<=12,"Q4",1=1,"missing")."'".short_year
And have been trying to use eval {} to rename the columns but haven't quite figured it out.
I also tried using chart which allows me to get the quarter headers, but then I couldn't figure out how to calculate the percent difference column.
Thanks for any help in advance!
... View more